Sherman's Security Blog
I am Sherman Hand. (also known as Policysup) I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down to earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations,re posts, or information that is already in the public domain.

Making sure that our employees use complex and diverse passwords, both in and out of the workplace, is of vital importance. Not least because multitudes of confidential data could be at risk because of flimsy credentials, ones that are obvious and oft-repeated.

To demonstrate the necessity of adequate protection that also allows for the handling of many distinct passwords, a group of researchers has created a software that is capable of guessing passwords with only a small number of attempts. Specifically, with a little bit of the victim’s personal information, the tool would be able to hit upon the correct password testing fewer than a hundred possibilities.

It’s called TarGuess and was created by researchers at the Universities of Beijing and Fujian in China, and the University of Lancaster in the UK. According to their study, an attacker with sufficient personal information (username, a pet, family members, date of birth, or the destination of their most recent vacations) has a one in five chance of guessing their password in fewer than a hundred attempts.

All they’ve done with TarGuess is to automate the process with a tool that scours social networks for personal information that could later be used in its attempts.

Using this tool, the researches successfully guessed 20% of passwords of those participating in the study with only one hundred attempts. More strikingly, the success rate increases proportionally with the number of guesses. So with a thousand attempts TarGuess is able to get 25% of passwords, and with a million the success rate can climb up to 50%.

Moving beyond the controversial data breaches of platforms such as Yahoo or Dropbox, the main conclusion that this study draws is that many users’ passwords are not robust enough to withstand this kind of attack. And as if that wasn’t enough, these breaches have brought to light another risk: TarGuess reportedly detected that many of these credentials are used in other services, or at best have many similarities (constituting what they call “sister passwords”).

This investigation demonstrates once again the necessity of controlling what kind of information is published on social networks. An employee that ‘shares’ every moment of their life may be inadvertently helping a cyber attacker to learn their password, putting corporate data at risk.